Bugtraq mailing list archives
Re: Announcement: Solaris loadable kernel module backdoor
From: pedward () WEBCOM COM (pedward () WEBCOM COM)
Date: Tue, 21 Dec 1999 14:33:50 -0800
With the proliferation of these types of backdoors, is there any way to prevent your 'r00t3d' box from being backdoored?

A simple approach for Linux would be something like this: at boot, compile the list of modules that are 'known good' (for the sake of argument, it's the /lib/modules/x.y.z), then write the list, with MD5 checksums, to a write-once /proc interface to kmod. kmod would check the MD5 sum before loading the requested module; if it didn't match the in-kernel list, it wouldn't allow it. For the write-once, you'd have a 0600 /proc entry that, upon writing a ^D, would change to 0000.

For the really paranoid, at compile time you could tar up all the modules and create the MD5 sum of that, store it in the kernel at some spot, and modify the module utils to read tarfiles. If the MD5 sum of the tarfile doesn't match the compiled-in list, you can't load the module.

Any other ideas on preventing untrusted modules from being loaded, or replaced and loaded as an existing 'trusted' module?

--Perry
> I'd like to announce, in addition to the two THC articles covering Linux and FreeBSD loadable kernel module backdoors, the first public loadable kernel module backdoor for Solaris.
>
> Regards,
> Plasmoid / THC
> http://www.infowar.co.uk/thc
> http://www.pimmel.com
--
Perry Harrington
Director of System Architecture
perry () webcom com
zelur xuniL / Think Blue. /\
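As an added example (editor's code, not part of Perry's post and not THC's code), the following POSIX shell sketch implements the two halves of the scheme above in userspace: build_manifest walks a module tree at boot and records one digest per module, and verify_module recomputes a module's digest before it would be handed to insmod and refuses anything that is unlisted or modified. Everything in it is assumed rather than taken from the post: the hash tool is coreutils md5sum (set HASH=sha256sum to change it), module files end in .o as they did for 2.2-era kernels, the manifest is an ordinary file rather than the write-once /proc entry Perry proposes, and the module tree in demo() is constructed from a few text files, not real kernel modules.

```shell
#!/bin/sh
# Added example, not code from the original post or from THC.
# Userspace sketch of the "known good module manifest" idea:
#   build_manifest  - walk a module tree and record one digest per module
#   verify_module   - recompute a module's digest and refuse it on mismatch
# Assumptions (not from the post): the hash tool is coreutils md5sum (swap in
# HASH=sha256sum), module files end in .o, and the manifest is an ordinary
# file here rather than the write-once /proc entry the post proposes.

HASH=${HASH:-md5sum}

# build_manifest MODULE_DIR
# Prints "digest  ./relative/path.o" for every module under MODULE_DIR.
# Paths are relative to the tree so the manifest does not depend on where
# the tree happens to be mounted.
build_manifest() {
    dir=$1
    (cd "$dir" && find . -type f -name '*.o' | sort | while read -r f; do
        $HASH "$f"
    done)
}

# verify_module MANIFEST MODULE_DIR NAME
# Returns 0 only if NAME is listed in MANIFEST and its current digest matches.
# Both an unknown name and a modified file are refused; the second case is
# what stops a dropped-in module from loading under a trusted module's name.
verify_module() {
    manifest=$1; dir=$2; name=$3
    expected=$(awk -v n="./$name" '$2 == n { print $1 }' "$manifest")
    if [ -z "$expected" ]; then
        echo "refuse: $name is not in the manifest" >&2
        return 1
    fi
    actual=$( (cd "$dir" && $HASH "./$name") | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "refuse: digest mismatch for $name" >&2
        return 1
    fi
    return 0
}

# demo: builds a constructed module tree (plain text files, not real modules),
# snapshots it, then checks that the untouched module is accepted while a
# replaced module and a never-listed module are both refused. Returns 0 when
# all three checks behave as expected.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/net" "$tmp/fs"
    printf 'constructed bytes of a trusted module\n' > "$tmp/net/good.o"
    printf 'constructed bytes of another module\n' > "$tmp/fs/other.o"
    build_manifest "$tmp" > "$tmp/manifest"

    rc=0
    verify_module "$tmp/manifest" "$tmp" net/good.o || rc=1   # must pass
    # Simulate an attacker overwriting a listed module with a backdoor.
    printf 'constructed backdoor bytes\n' > "$tmp/net/good.o"
    verify_module "$tmp/manifest" "$tmp" net/good.o 2>/dev/null && rc=1   # must fail
    # Simulate a module that was never in the known-good set.
    printf 'constructed rootkit bytes\n' > "$tmp/net/evil.o"
    verify_module "$tmp/manifest" "$tmp" net/evil.o 2>/dev/null && rc=1   # must fail

    rm -rf "$tmp"
    return $rc
}

demo
```

Two caveats a practitioner would want alongside this. A userspace wrapper around insmod is only a demonstration of the check, not an enforcement point: anything that already has root can call init_module(2) directly, so, as the post says, the comparison has to live in the kernel's loader and the manifest has to be sealed before anything untrusted runs. And MD5 was a reasonable choice in 1999 but has had practical collisions since 2004, so a manifest built today should use SHA-256 (HASH=sha256sum above) rather than md5sum.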